Some websites use a simple trick to keep their cryptocurrency miners scripts running in the background even when the user has closed the browser window.
In many cases the scripts are used as an alternative monetization model to banner ads. Recently, the Pirate Bay was spotted using the Coinhive browser-based cryptocurrency miner service.
The scripts can mine cryptocurrencies as long as the visitors are on their site, they lost access to the computer processor and associated resources when the Window is closed.
Experts from security firm Malwarebytes have discovered that some websites use a simple trick to keep their cryptocurrency mining scripts running in the background even when the user has closed the browser window.
The technique leverages a hidden pop-under browser window that is opened by the mining window and that fits behind the taskbar and hides behind the clock on Microsoft’s Windows computer.
This hidden window is used to run the crypto-miner code consumes CPU cycles and power from visitor’s computer until he will not spot the window and close it.
“The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock.” reads the blog post published by MalwareBytes.
“The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule:
- Horizontal position = ( current screen x resolution ) – 100
- Vertical position = ( current screen y resolution ) – 40
If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:”
The technique is simple as efficient, it is difficult to identify and able to bypass most ad-blockers. Experts observed that the cryptocurrency miners run from a crypto-mining engine hosted by Amazon Web Servers.
“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient.” continues the post.
“The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.”
To remain under the radar, the code of cryptocurrency miners runs in the hidden browser maintains CPU usage threshold to a medium level.
These scripts work on the latest version of Google’s Chrome web browser running on the most recent versions of Microsoft’s Windows 7 and Windows 10.
Users can spot miner windows by looking for any browser windows in the taskbar or running the Task Manager on their computer to ensure there is no running browser processes that are consuming CPU resources.
Some antivirus software block cryptocurrency miners, an alternative is represented by web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners.
Unfortunately, No Coin still not support Microsoft Edge, Apple Safari, and Internet Explorer.
(Security Affairs – cryptocurrency miners, hacking)
The post Cryptocurrency Miners hidden in websites now run even after users close the browser appeared first on Security Affairs.